This is still a WIP page, but be sure to read at least the "Be safe!" warning.
What is this page about?
This page is about security as in "external security". In other words, it is not about authentication or authorisation; for that, refer to OFBiz Security Permissions.
It is about keeping your OFBiz instance secure from external exploits, and preventing vulnerabilities as soon as they are known.
You can trust the Apache OFBiz PMC Members and Committers: we do our best to keep OFBiz secure. But despite our best efforts we might sometimes overlook a security issue. In such cases, as explained at https://ofbiz.apache.org/downloadsecurity.html, we strongly encourage OFBiz users to report security problems affecting OFBiz to the private security mailing list of the OFBiz project (security AT ofbiz.apache.org) before disclosing them in a public forum. Please see the page of the ASF Security Team for further information and contact details. Also, in case of doubt, refer to the current page, where quick fixes not already released might be explained.
Sometimes the OFBiz code itself is not the culprit. OFBiz relies on many Java libraries, and if one of them has a flaw we can't always wait until it's fixed to warn and protect our users. This is for instance what happened with the infamous 2015 Java unserialize vulnerability. OFBiz was affected by 2 libraries: Commons Collections
Be safe!
Also you should update your release version as soon as a security update is mentioned at https://ofbiz.apache.org/download.html#vulnerabilities.
If you are using a release branch rather than a released package, as soon as the release branch contains the security update, you should update ("svn up") your working copy, test and apply in production...
You might refer to the JIRA issues mentioned below for details on security. From what you can see there, you can secure OFBiz by adding "-javaagent:pathTo/contrast-rO0.jar" to your starting script; you will then be covered against these vulnerable classes, which exist OOTB as long as OFBIZ-6568 is not solved:
- org.codehaus.groovy.runtime.ConvertedClosure
- org.codehaus.groovy.runtime.MethodClosure
Those are already covered by OFBIZ-6726:
- org.apache.commons.collections.functors.InvokerTransformer
- org.apache.commons.collections4.functors.InvokerTransformer
- org.apache.commons.collections.functors.InstantiateTransformer
- org.apache.commons.collections4.functors.InstantiateTransformer
We don't use
- org.springframework.beans.factory.ObjectFactory
But if you do, be sure to fix your issue or use "-javaagent:pathTo/contrast-rO0.jar" in your starting script.
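As an added example (not code from the OFBiz project or from this page's author), the same deny list applied at the deserialization boundary in plain Java, without depending on the contrast-rO0 agent; it assumes Java 9+ for Set.of/List.of and uses only the class names listed above:

```java
import java.io.*;
import java.util.*;

/** ObjectInputStream that rejects the deserialization gadget classes listed above before loading them. */
public class DenyListObjectInputStream extends ObjectInputStream {

    // Class names from the list on this page; extend it with whatever your deployment adds.
    static final Set<String> DENIED = Set.of(
        "org.codehaus.groovy.runtime.ConvertedClosure",
        "org.codehaus.groovy.runtime.MethodClosure",
        "org.apache.commons.collections.functors.InvokerTransformer",
        "org.apache.commons.collections4.functors.InvokerTransformer",
        "org.apache.commons.collections.functors.InstantiateTransformer",
        "org.apache.commons.collections4.functors.InstantiateTransformer",
        "org.springframework.beans.factory.ObjectFactory");

    public DenyListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    static boolean isAllowed(String className) {
        return !DENIED.contains(className);
    }

    // resolveClass is called for each class descriptor before any instance is created,
    // so a denied class never reaches its readObject() or transform() code.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!isAllowed(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "rejected by deserialization deny list");
        }
        return super.resolveClass(desc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless ArrayList round-trips through the guarded stream.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(new ArrayList<>(List.of("order", "party")));
        }
        try (ObjectInputStream in = new DenyListObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()))) {
            System.out.println("accepted: " + in.readObject());
        }
        // A stream carrying a denied class descriptor fails in resolveClass with InvalidClassException.
        System.out.println("InvokerTransformer allowed? "
            + isAllowed("org.apache.commons.collections.functors.InvokerTransformer"));  // false
    }
}
```

Any stream carrying one of those class descriptors fails in resolveClass with InvalidClassException before the object is instantiated. On Java 9+ (and 8u121+) the same policy can also be expressed with the built-in ObjectInputFilter from JEP 290.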
Warning: be sure to read The infamous Java serialization vulnerability page if, within your OFBiz instance, you use/add RMI, JMX, Spring, or/and any external libraries not included in OFBiz out of the box.
Who is concerned?
Roughly there are 3 categories of OFBiz users:
- Those who use OFBiz only in an internal manner, without any connection to the Internet; most of the time only the OFBiz backend is then used. They should be the least concerned. But this category tends to be less and less represented: nowadays most organisations need somehow to be connected.
- Users working in a secured environment, notably behind firewalls and proxies. They should fear security vulnerabilities less. But you can never be sure: malicious hackers, sometimes called crackers, are always trying...
- Users working in a less secure environment, for instance using the Out Of The Box (OOTB) OFBiz ecommerce/ecomseo solutions with direct access from the Internet.
In any case, always check that your version is up to date: see the "Security Vulnerabilities" section at the bottom of https://ofbiz.apache.org/download.html on the OFBiz site. If you use the trunk, be sure to closely follow JIRA issues and commits regarding security.
How to check yourself, and possibly share and help
Now you might wonder how to keep your own OFBiz instance safe from vulnerabilities, and maybe how to contribute your experience to other OFBiz users. Having worked on OFBiz security for a few years, these are the tools I (Jacques Le Roux) personally recommend. For each, it's explained in specific pages how they work and how to share your results.
Java
Currently we have no known Java vulnerabilities in OFBiz code. There are some vulnerable third-party libraries; fortunately none of those vulnerabilities is high severity. As you can see in our README file, we use SonarCloud and soon CodeQL to check for vulnerabilities during our Continuous Integration process on GitHub. We also use Checkstyle for better code quality before pushing changes to the Git repo.
JavaScript
For JavaScript we use Retire.js; see this page: About retire.js. As you can see in our README file, we also use CodeQL to check for vulnerabilities during our Continuous Integration process on GitHub. And we use npm audit before pushing changes to the Git repo.
HTTP headers
For HTTP headers, check your instance with https://cyh.herokuapp.com/cyh.
This page gives more information: How to Secure HTTP Headers
File Upload
Since
For your own safety in production you might be interested in https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
Penetration tools
There are web-oriented tools like Burp Suite Community Edition, OWASP Zed Attack Proxy (ZAP), BeEF or IBM Security AppScan. But most of the time they are too general, and fully crawling OFBiz can take a lot of time or be quite a challenge if done manually. You can find more penetration tools here. To work on security vulnerability reports I use Burp Suite Community Edition.
Another simpler but not to be neglected tool is the security option of SpotBugs. I use it as an Eclipse plugin.
Tomcat 9 & AJP
Despite the related JIRA issues, OOTB the Tomcat default values are used, as recommended by https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
This is related to https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
and https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
But OOTB the secretRequired value must be false because the secret value is empty; otherwise a message appears in the log saying that AJP is not available.
Long story short, with the OOTB configuration only localhost works.
So if you want to use AJP you need to set the values depending on your configuration. Using ".*" for allowedRequestAttributesPattern puts you at risk.